Whether it's about exploiting operating system and software vulnerabilities or manipulating network traffic, every attack relies on the reachability between an attacker and the targeted devices.
In recent years, we have seen how hundreds of widely used smart-but-insecure devices made it easier for remote attackers to sneak into connected networks without breaking WiFi passwords.
In the latest research shared with The Hacker News, Check Point experts today revealed a new high-severity vulnerability affecting Philips Hue Smart Light Bulbs that can be exploited over-the-air from over 100 meters away to gain entry into a targeted WiFi network.
The underlying high-severity vulnerability, tracked as CVE-2020-6007, resides in the way Philips implemented the Zigbee communication protocol in its smart light bulb, leading to a heap-based buffer overflow issue.
ZigBee is a widely used wireless technology designed to let each device communicate with any other device on the network. The protocol has been built into tens of millions of devices worldwide, including Amazon Echo, Samsung SmartThings, Belkin Emo and more.
"Through this exploitation, a threat actor can infiltrate a home or office's computer network over-the-air, spreading ransomware or spyware, by using nothing but a laptop and an antenna from over 100 meters," the Check Point researchers told The Hacker News.
Check Point also confirmed that the buffer overflow happens on a component called the "bridge" that accepts remote commands sent to the bulb over Zigbee protocol from other devices like a mobile app or Alexa home assistant.
How Does Philips Smart Bulbs Vulnerability Work?
Though researchers choose not to reveal complete technical details or PoC exploit for the flaw at this moment to give affected users enough time to apply patches, they did share a video demonstrating the attack.
As shown in the video, the attack scenario involves:
- By exploiting a previously discovered bug, an attacker first takes control over the smart bulb.
- This makes the device 'Unreachable' in the users' control app, tricking them into resetting the bulb and then instructing the control bridge to re-discover the bulb.
- The bridge discovers the hacker-controlled bulb with updated firmware, and the user adds it back onto their network.
- The hacker then exploits the ZigBee protocol vulnerabilities to trigger a heap-based buffer overflow on the control bridge, allowing him to install malware on the bridge that's connected to the targeted network.
- The hacker can use malware to infiltrate the network, eventually leaving millions of other devices connected to the same network at risk of remote hacking.
"Many of us are aware that IoT devices can pose a security risk, but this research shows how even the most mundane, seemingly 'dumb' devices such as lightbulbs can be exploited by hackers and used to take over networks, or plant malware," Yaniv Balmas, Head of Cyber Research at Check Point Research, told The Hacker News.
Discover the Hidden Dangers of Third-Party SaaS Apps
Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.RESERVE YOUR SEAT
Check Point responsibly reported these vulnerabilities to Philips and Signify, owner of the Philips Hue brand, in November 2019, who just last month released an updated, patched firmware for the device.
"It's critical that organizations and individuals protect themselves against these possible attacks by updating their devices with the latest patches and separating them from other machines on their networks, to limit the possible spread of malware. In today's complex cyberattack landscape, we cannot afford to overlook the security of anything that is connected to our networks."
If automatic firmware update download feature is not enabled, affected users are recommended to manually install patches and change settings to revive future updates automatically.